Internet Security Lecture Notes 5 (Tap Bai Giang an Ninh Internet 5)


  • 8/3/2019 Tap Bai Giang an Ninh Internet 5

    CHAPTER 5

    INTERNET SECURITY BASED ON IDS & IPS

    A. CHAPTER OBJECTIVES

    1. KNOWLEDGE:

    This chapter gives students knowledge of:

    - IDS and IPS systems

    - The differences between HIDS and NIDS

    - The role of IDS and IPS in the security policy for an internal network

    - The configuration of NIDS and IPS systems

    2. SKILLS:

    After completing this chapter, students will be able to:

    - Distinguish the types of IDS

    - Distinguish the different roles of IDS and IPS

    - Build security systems based on IDS and IPS

    Collected/compiled by: Nguyen Kim Tuan


    B. CHAPTER CONTENT

    V.1. Introduction to and classification of IDS

    V.1.1. Introduction to IDS & IPS

    Intrusion detection is one of the tools of network security. It is used to protect an organization's network against attacks: it can identify a hacker and counter the hacker's intrusion into the system. Before discussing intrusion detection in detail, we look at it from a practical angle.

    Intrusion Detection System (IDS): this is a concept that has existed for a very long time. Among its earliest forms were night watchmen and guard dogs. In that case the watchmen and the dogs served two functions: they provided a means of noticing that something unusual was happening, and a means of deterring the perpetrator. Thieves are usually not keen on dealing with dogs, so they tend not to rob buildings guarded by dogs. The same is true of night watchmen: thieves do not want to be discovered by a watchman either.

    Burglar alarms and car alarms are also forms of IDS. If the alarm system detects something unusual (such as a window being broken or a door being opened), it raises a notification: lights flash, an audible alarm sounds, or an alert is sent automatically to the police. The deterrent function may be attached at the door or in the front yard of the house. Cars usually have a visible light on the dashboard that indicates the alarm system is active.

    All of these examples share one simple underlying purpose: detecting intrusions into the protected perimeter of whatever is being protected (a business, a house, a car, and many other things). For a building or a car, the protected perimeter is easy to identify. The walls of a house, a fence around a property, or the doors and windows of a car clearly define the perimeter. These examples also make it easy to define the criteria for what constitutes an intrusion and what constitutes the protected perimeter.

    If we carry the concept of the alarm system over into the world of computers, we arrive at the basic concept of an IDS. We now need to define what the security perimeter of our computer systems is. Clearly, the perimeter here does not exist in the way walls or fences do. Instead, the security perimeter of a network is a virtual perimeter around an organization's computer systems. This perimeter can be defined by firewalls, telecom demarcation points, or desktop computers with modems. It can also be extended to the home computers of employees who are permitted to connect remotely, or to a business partner who is permitted to connect to the Internet. In addition, with wireless networks entering the business world, an organization's security perimeter can be extended to the range of the wireless network.

    Figure 5.1: An example of IDS placement

    An alarm system is designed to detect intrusion into protected areas when they are unattended. An IDS is designed to tell the difference between an authorized entry and an intrusion attempt, which is much harder. An easy illustration is a treasure store fitted with an alarm system. If anyone, including its owner, opens the door of the store, the alarm will ring. The owner then has to notify the alarm company that he opened the store and that everything is intact. An IDS is similar: it is always on guard in front of the door, watching everyone at the store and looking for signs of intrusion.

    There are two types of IDS: the host-based intrusion detection system (HIDS) and the network-based intrusion detection system (NIDS). Each HIDS is placed on a server to detect signs of attack on the hosts. A NIDS is placed on a separate system to watch network traffic, looking for signs of attacks against network ports.

    V.1.2. Host-based IDS (HIDS)

    Host-based IDS (HIDS): a system of sensors that are placed on various servers within the organization's network and controlled by a central manager. The sensors can detect different kinds of events and examine activity on the server or send out notifications. HIDS sensors watch the events associated with the server on which they are installed. HIDS sensors can also determine whether or not an attack succeeded once the attack has been carried out.

    As we will see, the different kinds of HIDS sensors reflect different IDS goals. No single type of sensor suits every organization, or even every server within one organization. It is therefore important to determine the most appropriate sensors for each server. Note also that a HIDS will cost more than a NIDS if every server has to have its own sensor.

    Another issue with HIDS is that a sensor running on a server can take from 5% to 15% of CPU capacity. If the sensor is used on a large system, this can affect the system's performance.

    There are five basic types of HIDS sensors:

    - Log analyzers

    - Signature-based sensors

    - System call analyzers

    - Application behavior analyzers

    - File integrity checkers

    Note that the number of HIDS sensors keeps growing, and many products base their functions and behaviour on one of the five basic sensor types listed above.

    Log Analyzers:

    A log analyzer is a process that runs on the server and watches the relevant log files of the system. If an entry appears that does not fit the criteria of the HIDS sensor process, it is captured.

    Most log analyzers come configured to look for log entries that may indicate a security event. In addition, the system administrator must regularly define other entries of interest, which is very important.

    Log analyzers are reactive by nature. In other words, they react to an event that has already occurred. They therefore serve to give notification that a system has been compromised. In most cases, log analyzers cannot prevent an attack from successfully compromising the system.

    Log analyzers are particularly well suited to tracking the activity of authorized users on internal systems. So if an organization is concerned about the activity of system administrators or other authorized users of a system, a log analyzer can be used to track that activity and move the record of it to a system outside the reach of the administrator or user.

    Signature-Based Sensors:

    Signature-based sensors have a built-in set of security-event signatures that are matched against incoming traffic or log entries. The difference between signature-based sensors and log analyzers is the ability to analyze incoming traffic.

    Signature-based systems can see attacks as they arrive at the system, so they can provide additional notification of attacks. However, the attack will have succeeded or failed before the HIDS sensor can act on it, so these sensors are reactive as well. A signature-based HIDS sensor can also be used to track authorized users on internal systems.

    System Call Analyzers:

    System call analyzers analyze the calls between applications and the operating system in order to identify security events. This type of HIDS sensor is implemented as a piece of software inserted (a shim) between the operating system and the applications. When an application wants to perform an action, its call to the operating system is analyzed and compared against a database of signatures. These signatures are patterns of behaviour that indicate an attack, or some other event of interest defined by the HIDS administrator.

    System call analyzers differ from log analyzers and signature-based HIDS sensors in that they can prevent an action that is in progress. For example, if an application makes a call that matches the signature of a buffer overflow, the sensor can block that call, use a different memory region, and record the attempted compromise on the system.

    Note: configuring system call analyzers correctly is critical; an improper configuration can cause applications to fail. Sensors of this kind normally offer the ability to run in a test mode. This means the sensor records events but does not take the blocking actions, so a configuration can be trialled without interfering with the functions of the applications.

    Application Behavior Analyzers:

    Application behavior analyzers are similar to system call analyzers in that they also run as software inserted between the applications and the operating system. With application behavior analyzers, the sensor examines each call to see whether the application is permitted to make it, rather than acting when it recognizes an attack. For example, a web server is normally allowed to accept network connections on port 80. If a web server attempts to write files, read files from some other location, or open new network connections, the sensor will treat this as inappropriate behaviour and block the actions.

    When configuring these sensors, a list of the legitimate actions of each application must be created. Vendors of these products usually supply ready-made profiles for common applications. Application development teams will have to analyze and work out what their applications are permitted to do, and this must then be programmed into the sensors.

    File Integrity Checkers:

    File integrity checkers look for changes to files. This is done by using a cryptographic checksum or a digital signature of the file. The resulting signature changes if even a few bits of the file are changed. The algorithms used for this process are designed to make it extremely difficult to alter a file in a way that still produces the same signature.

    At the initial configuration of the sensor, each file to be monitored is run through the algorithm to create an initial signature. This signature is stored in a secure location. Periodically, the signature of each monitored file is recomputed and compared with the original. If they match, the file has not changed. If they do not match, the file has been changed.

    Note: this type of sensor requires good configuration. If it is poorly organized, the sensor will flag every changed file even when the change is in fact legitimate. The sensor has no way of knowing this before it raises the detection.

    A file integrity checker gives no indication of the intrusion itself; instead it reports the detailed results of the intrusion. Thus, if a web server is compromised, the intrusion itself will not be noticed, but other kinds of system compromise are detected because the intrusion changes system files.
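The baseline-and-compare cycle described above, as an added Python example that is not part of the original lecture notes. SHA-256 as the checksum, the HMAC tag that protects the stored baseline, the key, and the sample file tree are all assumptions made for the illustration; `accept_change` shows how an approved change is recorded so that it is no longer reported.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def seal(baseline, key):
    """Serialize the baseline and tag it with an HMAC, so a copy that has been
    edited to hide a change is rejected when it is loaded again."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Return the stored baseline, or raise if it no longer matches its tag."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored baseline failed its integrity check")
    return json.loads(body)


def compare(root, baseline):
    """Periodic check: recompute digests and diff them against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def accept_change(root, baseline, relpath):
    """Re-baseline one file after an approved change, leaving the rest alone."""
    updated = dict(baseline)
    updated[relpath] = file_digest(os.path.join(root, relpath))
    return updated


def demo():
    key = b"constructed-demo-key"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed sample tree standing in for a monitored server.
        write("etc/motd", b"welcome\n")
        write("www/index.html", b"<h1>home</h1>\n")
        write("www/app.conf", b"debug=0\n")
        body, tag = seal(build_baseline(root), key)

        write("www/index.html", b"<h1>changed</h1>\n")  # unexpected change
        write("www/app.conf", b"debug=1\n")             # approved change
        write("www/unexpected.bin", b"\x00\x01")        # new file
        os.remove(os.path.join(root, "etc/motd"))       # deleted file

        baseline = unseal(body, tag, key)
        first = compare(root, baseline)
        # Recording the approved change stops it from being reported again.
        second = compare(root, accept_change(root, baseline, "www/app.conf"))

        try:
            unseal(body.replace(b"www", b"tmp"), tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return first, second, tamper_detected


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first comparison reports both the approved and the unexpected modification, which is the configuration problem the note above warns about; the second reports only the unexpected one.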

    V.1.3. Network-based IDS (NIDS)

    A NIDS is in practice a software process that runs on a dedicated hardware system. The NIDS places the network interface card of that system into promiscuous mode, meaning that the card passes all traffic on the network (rather than only the traffic destined for that system) to the NIDS software. The traffic is analyzed against a set of rules and attack signatures to determine whether it is traffic of interest. If it is, an event is generated.

    At present, NIDS systems are mostly signature-based. That is, a set of attack signatures is built into the system and compared against the traffic on the wire. If an attack is launched that is not in the signature file, the NIDS will not pick it up. NIDS systems can also monitor specific traffic by source address, destination address, source port, or destination port. This allows organizations to define traffic to be monitored that lies outside the attack signatures.

    Note: anomaly-based NIDS systems have begun to appear on the market. These systems look for anomalies in network traffic in order to detect attacks. The usefulness of this type of system has not yet been proven in practice.

    The most common configuration for a NIDS uses two network interface cards. One card is used to monitor a network. This card is placed in a "stealth" mode so that it has no IP address and therefore does not respond to incoming connections. The stealth card has no protocol stack bound to it, so it cannot reply to a probe such as a ping. The second card is used to communicate with the IDS management system and to send alerts. This card is attached to an internal network that cannot be seen from the network being monitored.

    Figure 5.2: A network with NIDS sensors

    Advantages of a NIDS:

    - A NIDS can be completely hidden on the network, so an attacker will not know that he is being monitored.

    - A single NIDS can be used to monitor a large volume of traffic for the target systems.

    - A NIDS can capture the content of most packets travelling to a target system.

    Limitations of a NIDS:

    - A NIDS can only raise an alarm when network traffic matches the preconfigured rules or the signatures.

    - A NIDS may fail to capture traffic correctly because of the bandwidth in use or because of alternate routing.

    - A NIDS cannot determine whether an attack was carried out successfully.

    - A NIDS cannot inspect traffic that is encrypted.

    - Switched networks require special configuration for the NIDS to be able to see all network traffic.

    It is hard to rank the two types of IDS against each other: each has its own advantages and limitations. While NIDS is the more cost-effective (a single NIDS can monitor a large volume of traffic for many systems), HIDS may be better suited to organizations that are more concerned with how their own users exercise their access than with defending against hackers.

    V.2. Designing an IDS

    V.2.1. Defining the goals of the IDS

    To get the most effective IDS, planning is needed beforehand. Before an appropriate policy is established, information must be gathered, the network must be analyzed, and risk management must be carried out. For a complex system, the policies must be created, validated and tested before being rolled out. The steps required to create an IDS policy are: define the goals of the IDS; choose what to monitor; choose the responses; set the thresholds; implement the policy.

    The goals of the IDS provide the requirements for the IDS policy. The goals are chosen from the following:

    - Detecting attacks

    - Preventing attacks

    - Detecting policy violations

    - Enforcing use policies

    - Enforcing connection policies

    - Collecting evidence

    Keep in mind that goals can be combined, and that the actual goals for any IDS depend on the organization deploying it. This is not an exhaustive list. An IDS can allow an organization to detect when an attack begins, and can allow evidence to be collected or further damage to be prevented by terminating the incident. That is, of course, not the only purpose an IDS can serve. Since an IDS collects detailed information about events taking place on an organization's networks and computer systems, it can also identify activity that violates policy and show how network resources are actually being used.

    Attack recognition: Attack recognition is the most common use of an IDS. The IDS is programmed to look for certain types of events from which it can be determined that an attack is in progress. A simple example might be a connection to TCP port 80 (HTTP) followed by a URL that includes a .bat extension. This may be an indication of an intruder attempting to attack an IIS web server.

    Most attack signatures are not that easy to recognize. For example, password-guessing attacks still occur regularly all over the Internet. A HIDS may have a rule that looks for three failed login attempts on one account within a short period of time. To do this, the HIDS must keep track of the time and the number of failed login attempts for each account recorded in the log files, and must reset the count when a login succeeds or when the time window expires.

    A more complex example of attack recognition is an intruder who tries to guess passwords across many accounts and many systems. In this case, the intruder may not try the same account twice in a row but instead try the same password on each account on the systems in turn. If the time taken for the attempts is long enough, the time window for each account expires before the intruder has failed three times on any given account. The only way to identify this kind of attack is to correlate the information found in several log files on different systems. A HIDS that can correlate information across systems is able to perform this kind of analysis.
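Both rules from the passage above, as an added Python example that is not part of the original lecture notes: the per-account rule (three failures inside the window, reset on success or expiry) and a cross-system rule that merges events from several hosts. The event format, the 60-second and one-hour windows, the four-account limit, and the use of the source address as the correlation key are assumptions; the events themselves are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events, as if already parsed from the logs of several
# hosts: (time in seconds, host, account, source address, outcome).
EVENTS = [
    (0, "web1", "alice", "198.51.100.7", "fail"),
    (10, "web1", "alice", "198.51.100.7", "fail"),
    (20, "web1", "alice", "198.51.100.7", "fail"),    # 3 failures in 20 s
    (100, "web1", "bob", "10.0.0.5", "fail"),
    (130, "web1", "bob", "10.0.0.5", "fail"),
    (140, "web1", "bob", "10.0.0.5", "ok"),           # success resets count
    (150, "web1", "bob", "10.0.0.5", "fail"),
    (200, "db1", "carol", "10.0.0.6", "fail"),
    (250, "db1", "carol", "10.0.0.6", "fail"),
    (400, "db1", "carol", "10.0.0.6", "fail"),        # earlier ones expired
    # One guess per account, spaced out and spread over three hosts.
    (1000, "web1", "dave", "203.0.113.9", "fail"),
    (1300, "db1", "erin", "203.0.113.9", "fail"),
    (1600, "mail1", "frank", "203.0.113.9", "fail"),
    (1900, "web1", "grace", "203.0.113.9", "fail"),
    (2200, "web1", "dave", "203.0.113.9", "fail"),
]


class PerAccountRule:
    """Three failed logins for one account within a short window."""

    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)  # (host, account) -> failure times

    def feed(self, ts, host, account, outcome):
        times = self.failures[(host, account)]
        if outcome == "ok":
            times.clear()                   # reset on successful login
            return False
        times.append(ts)
        while ts - times[0] > self.window:  # drop failures outside the window
            times.popleft()
        if len(times) >= self.limit:
            times.clear()                   # one alert per burst
            return True
        return False


class CrossSystemRule:
    """Failures from one source against many accounts, merged across hosts."""

    def __init__(self, min_targets=4, window=3600):
        self.min_targets, self.window = min_targets, window
        self.targets = defaultdict(dict)    # source -> {(host, account): time}
        self.alerted = set()

    def feed(self, ts, host, account, source, outcome):
        """Return the number of distinct targets when the rule first fires."""
        if outcome != "fail":
            return 0
        seen = self.targets[source]
        seen[(host, account)] = ts
        for key in [k for k, t in seen.items() if ts - t > self.window]:
            del seen[key]
        if len(seen) >= self.min_targets and source not in self.alerted:
            self.alerted.add(source)
            return len(seen)
        return 0


def analyze(events):
    """Run both rules over events from all hosts, merged in time order."""
    per_account, cross = PerAccountRule(), CrossSystemRule()
    account_alerts, source_alerts = [], []
    for ts, host, account, source, outcome in sorted(events):
        if per_account.feed(ts, host, account, outcome):
            account_alerts.append((ts, host, account))
        hits = cross.feed(ts, host, account, source, outcome)
        if hits:
            source_alerts.append((ts, source, hits))
    return account_alerts, source_alerts


if __name__ == "__main__":
    print(analyze(EVENTS))
```

The per-account rule fires only for the burst against one account; the slow attempts spread over several hosts never trip it and are caught only by the merged view.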

    Policy monitoring: Policy monitoring is similar to attack detection. The purpose of an IDS configured for policy monitoring is simply to track compliance or non-compliance with company policy. In the simplest case, a NIDS can be configured to monitor all network traffic leaving the network. This configuration allows the NIDS to track any non-compliance with Internet use policies. The NIDS can alert on any connection to sites that do not meet the standards used in the organization.

    A NIDS can also check against router or firewall configurations. In this case, the NIDS is configured to look for traffic that the router or firewall should not allow through. If any such traffic is seen, a violation of the firewall policy is indicated.

    Policy enforcement: Using an IDS as a policy enforcement tool takes the policy monitoring configuration one step further. For policy enforcement, the IDS is configured to take action when a policy violation is detected. In the first example under policy monitoring, a policy enforcement IDS would not only recognize that a connection is being attempted to an unacceptable website, it could also block the connection.

    Incident response: An IDS can be a valuable tool after an incident has been identified. While the IDS may be used to identify the initial incident, once an incident has occurred the IDS can be used as a tool for collecting evidence and recording data. In this role, a NIDS can be configured to look for certain connections and to provide a full record of the traffic. At the same time, a HIDS can be configured to keep a record of all log entries related to a particular account on the system.

    V.2.2. Choosing what to monitor

    What to monitor depends on the goals of the IDS and on the environment in which the IDS will operate. For example, if the goal of the IDS is to detect attacks and the IDS is placed on the Internet side, outside the company's firewall, the IDS will need to monitor all traffic arriving at the firewall in order to identify direct attacks. Alternatively, the IDS can be placed inside the firewall so that it identifies only the attacks that successfully get through the firewall. Table 5-1 gives examples of what to monitor for particular policies.

    The choice of what to monitor affects the placement of the sensors. Sensors can be placed outside the firewall, inside the network, on systems that are likely targets of intrusion, or on systems used specifically for log collection and processing. The key point when deciding where to place an IDS sensor is that the sensor must be able to see the events of interest, whether these are network traffic or log entries. If the events of interest do not pass through the firewall, then placing a NIDS sensor inside the firewall is not a good choice. Likewise, if the events of interest are recorded only on the domain controllers of a Windows NT network, the HIDS software must be placed on the primary domain controller, even though an attacker may physically be at a workstation somewhere in the network.

    Columns: Policy / NIDS / HIDS

    Policy: Attack detection
      NIDS: All traffic that can reach the target systems (firewalls, web servers, application servers, and so on).
      HIDS: Failed login attempts. Connection attempts. Successful logins from remote systems.

    Policy: Attack prevention
      NIDS: Same as for attack detection.
      HIDS: Same as for attack detection.

    Policy: Policy violation detection
      NIDS: All HTTP traffic originating from client systems. All FTP traffic originating from client systems. Connections identified on game ports.
      HIDS: Successful HTTP connections. Successful FTP connections. Files downloaded.

    Policy: Use policy enforcement
      NIDS: Same as for policy violation detection.
      HIDS: Same as for policy violation detection.

    Policy: Connection policy enforcement
      NIDS: All traffic that violates the connection policy being enforced.
      HIDS: Successful connections from blocked addresses or ports.

    Policy: Evidence collection
      NIDS: The content of all traffic originating from the target system or the attacking system.
      HIDS: All successful connections from the attacking system. All unsuccessful connections from the attacking systems. All keystrokes from interactive sessions of the attacking systems.

    Table 5-1: Examples of the information to monitor for a given IDS policy.

    There is another key point to consider when placing NIDS sensors. If the network uses switches instead of hubs, a NIDS sensor will not work properly if it is simply connected to a port on the switch. The switch will send to the port the sensor is plugged into only the traffic addressed to the sensor itself. In a switched network there are two options for using NIDS sensors: use the switch's monitoring port, or use a network tap.

    Using the monitoring port can create a conflict with the network administration staff, because this port may also be used for network troubleshooting. In addition, switches allow only one port to be monitored at a time. The monitoring port generally does not allow the switch backbone to be monitored. That would not work in any case, since the switch backbone is likely to run at several gigabits per second while the NIDS sensor uses a 100BaseT connection (100 megabits per second). Such a connection also prevents the NIDS from transmitting, so terminating connections is generally not possible in this configuration.

    V.2.3. Choosing the response

    As with the choice of what to monitor, the choice of response is driven by the goals of your IDS. When an event occurs, you can choose a passive response (a response that does not directly stop the attacker's actions) or an active response (a response that directly attempts to stop the attacker's actions). Passive responses do not necessarily imply that you will allow an event to continue; rather, you choose not to have the IDS itself take direct action. This is an important distinction to keep in mind. The choice between an automated response and a response controlled by a human must also be weighed.

    Passive response:

    A passive response is the most common kind of action taken when an intrusion is detected. The reason is simple: passive responses have a low probability of causing disruption to legitimate traffic, while being easy to implement in a fully automated fashion. As a general rule, passive responses take the form of gathering information or sending notifications to individuals who have the authority to initiate action if necessary.

    Shunning: Avoiding or ignoring an attack attempt is the most common response in use today. In most cases, this is the limited response that remains in place after an organization deploys an Internet connection and a firewall. At this point, the organization has to trust the firewall to stop attacks from the Internet.

    This response can also be used with a sophisticated IDS. The IDS can be configured to ignore attacks against services that do not exist, or attacks to which the firewall is not susceptible.

    Logging: when any kind of event occurs, as much information as possible should be collected to allow detailed analysis or to help decide whether or not to initiate action. The act of logging an event is a passive response. By collecting basic information (such as IP addresses, date and time, event type, process IDs, user IDs, and so on), the IDS identifies the event as one that warrants attention.

    Additional logging: a more explicit response collects more information about the event than is normally kept. For example, if the normal logging configuration collects the IP addresses and ports of connections, identifying an event might trigger the logging of user IDs, process IDs, or all of the traffic passing over the connection.

    Alerts: an IDS alert not only signals that an event has occurred, it also provides information about that event. An alert can take many forms, such as flashing screens, alarm bells, e-mail messages, or pager messages. Which kind of alert is appropriate depends on the circumstances of the event and on the configuration of the IDS.

    Note: configuring an IDS to send an alert whenever an event occurs can cause many problems in mail systems or paging systems if a large number of events occur within a short period of time.

    Active response:

    An active response to an event allows the quickest possible action to reduce the impact of the event. However, without careful consideration of the ramifications of the actions and careful testing of the rule sets, active responses can cause disruption or denial of service for legitimate users.

    Terminating connections, sessions, or processes: Probably the easiest action is to terminate the event. This can be done by terminating the connection the attacker is using (this is possible if the event uses a TCP connection), terminating the user's session, or terminating the processes that are causing the problem.

    Which entity to terminate can be determined by examining the event. If a process is consuming many system resources, the appropriate action is to stop the process. If a user is attempting to reach a vulnerable area or files that he is not permitted to access, terminating that user's session is the appropriate action. If an attacker is using a network connection to a system to try to get into a vulnerable area, terminating the connection is appropriate.

    Note: termination can also cause a denial of service for legitimate users. You must therefore be sure that you can accurately identify an intrusion event before using this type of action.

    Network reconfiguration: If we see that many attempts are being made to access the company's network systems from a particular IP address, we may conclude that an attack is coming from that specific address. In this case, reconfigure the firewall or the router. The reconfiguration can be temporary or permanent, depending on the IP address and on the ramifications of the action for the company (shutting off all traffic to a business partner for several days can have a detrimental effect on productivity). The new rules or new filters may disallow any connections from the offending site, or connections to specific ports.

    Deception: Another type of active response is deception. A deception response is intended to fool the attacker into believing that he has broken in successfully but has not yet had time to explore the system. Meanwhile, the target system is being protected more tightly against the attacker, either by luring the attacker to another system or by moving part of the target system to a safe location.

    Another kind of deception response is the honey pot. A honey pot is a system or object that appears to be vulnerable in order to lure the attacker into attacking it. Meanwhile, the attacker is observed and all of his actions are recorded. The information in the honey pot is of course not real, but it is made to look like the most important target at that site.

    Automated and automatic response:

    An automated response is a set of predetermined actions that will be taken when a particular event occurs. Such a response is usually governed by a procedure that identifies the specific triggers that initiate the actions. These actions can range from passive to active. An automated response can be controlled by people or by computers.

    When the response to an incident is controlled entirely by a computer, with no human intervention, we have an automatic response. Such a response must be controlled clearly and thoroughly, and its rules must be tested carefully. Because this response requires no human intervention, it will occur whenever the conditions of the rules are met. It is very easy to create an automatic response that disrupts all network traffic.

    Columns: Policy / Appropriate passive responses / Appropriate active responses

    Policy: Attack detection
      Passive: Logging. Additional logging. Alerts.
      Active: No active response is appropriate.

    Policy: Attack prevention
      Passive: Logging. Alerts.
      Active: Terminate the connection. Terminate the process. Reconfigure the router or firewall.

    Policy: Policy violation detection
      Passive: Logging. Alerts.
      Active: No active response is appropriate.

    Policy: Use policy enforcement
      Passive: Logging. Alerts.
      Active: Terminate the connection. Reconfigure the proxy.

    Policy: Connection policy enforcement
      Passive: Logging. Alerts.
      Active: Terminate the connection. Reconfigure the router or firewall.

    Policy: Evidence collection
      Passive: Logging. Additional logging. Alerts.
      Active: Deception. Terminate the connection.

    Table 5-2: Examples of appropriate active and passive responses for the same set of policies identified above.

    V.2.4. Setting thresholds

    Thresholds provide protection against false positive indications and thereby increase the effectiveness of your IDS policy. Thresholds can be used to filter accidental events out from intentional ones. For example, an employee may connect to a website unrelated to the business through links returned by a search. The employee may be performing a legitimate search, but an inappropriate website may come up because of poor search parameters. In this case, the IDS should not report the single event. Such a report would only use up resources investigating an innocent action.

    In the same way, thresholds for attack detection should be set so as to ignore low-level probes or single information-gathering events. Such an event might be a single attempt to look up an employee. Finger is a program used on Unix operating systems (in connection with the Internet) to find out whether a given user is logged in to the network (Internet). The command displays information about the user, depending on the operating system and the security policy, and requires the user's name. Attempts to finger many employees within a short time, however, may be a sign of an attacker who wants to gather valuable information about your systems.

    The choice of appropriate thresholds for an IDS depends directly on the types of events and policy violations that may occur. It is not possible to specify one concrete set of thresholds that applies universally. It is possible, however, to identify the parameters to consider when setting thresholds. These parameters are:

    - User expertise: a significant number of user errors can cause false alarms.

    - Network speed: slow networks can also cause false alarms for events that require packets to appear within a specific time window.

    - Expected network connections: if the IDS is configured to alert on certain network connections and these connections occur routinely, false alarms will result.

    - Administrator/security staff workload: a high workload on the security staff may warrant higher thresholds, which will affect the number of false alarms.

    - Sensor sensitivity: if the sensor is very sensitive, the thresholds need to be set high to avoid false alarms.

    - Security program effectiveness: if the organization's security program is very effective, an IDS placed as a defense on the network is able to make attacks fail.

    - Existing vulnerabilities: there is no reason to alert on attackers targeting vulnerabilities that do not exist on the network.

    - Sensitivity of systems and information: the more sensitive the information used in an organization, the lower the alert thresholds need to be set.

    - Consequences of false positives: when false alarms are very serious, it may be appropriate to set higher thresholds, which reduces the number of false indications.

    - Consequences of false negatives: conversely, when the consequences of false negatives are very serious, it may be appropriate to set lower thresholds.

    Note: thresholds are specific to each organization. General principles can be given, but each organization must determine its own thresholds on the basis of these parameters.

    V.2.5. Implementing the policy

    In practice, the implementation of the IDS policy must be planned very carefully. Always keep in mind that the IDS policy was developed on paper, together with some testing and real-world experience. Once each IDS policy has been developed and the thresholds have been worked out, the IDS should be put in place with the final policy minus the active measures. The IDS should then be monitored closely for a period of time while the thresholds are being settled. In this way, experience with the policy can be gained without disrupting legitimate network traffic or access to computers.

    Throughout this trial and test period, any investigation initiated by the IDS must be carried out carefully in order to evaluate properly the information the IDS provides.

    V.3. Managing and using an IDS

    The concept of intrusion detection is not new in the security field. However, only recently have IDS systems become available on the commercial market. Today, several network and HIDS systems are available from a number of different vendors.


    Before deciding to deploy an IDS on its network, an organization should understand the goals of the program. The effort needed to configure and manage an IDS properly is significant, and it benefits intrusion prevention by contributing to a good security program. If the goals of the IDS include monitoring for attacks 24 hours a day, staff will have to cover every hour of the day, including nights. At the same time, system administrators will be required to work with the security staff to determine whether an attack has occurred and, if so, how to handle the incident. Incident handling procedures are created and tested during the IDS installation.

    Information the IDS provides

    An intrusion detection system can only report what it has been configured to report. There are two components to an IDS configuration. The first is the set of attack signatures programmed into the system. The second is any additional events that the administrator has identified. These can include types of traffic or types of log messages.

    With regard to the pre-programmed signatures, the vendor or creator of the system has applied their own interpretation of how important each event is. The importance an organization assigns to these events may differ from the vendor's defaults. It can therefore be appropriate to change the default priority settings of some signatures, or to remove signatures entirely if they do not apply to the organization.

    Note: Remember that an IDS will only alert on events that it is able to see. If the system monitored by a HIDS sensor does not log certain events, the HIDS sensor will not be aware of them. Likewise, if a NIDS sensor cannot see the traffic, it will not alert even if the event occurs.

    Assuming the IDS is configured correctly, it will show you four types of events: information-gathering events; attack events; policy violations; and unclear or suspicious events.

    V.3.1. Reconnaissance events

    Reconnaissance events are attempts by an attacker to gather information about one or more systems before carrying out an attack. These events can be divided into five categories: stealth scans; port scans; Trojan scans; vulnerability scans; and file snooping. Most of these events appear on the network from the addresses of systems out on the Internet.

    Information-gathering events try to collect information about systems. They are not events that compromise a system. Some commercial IDS products classify information-gathering events as system compromises, which is not appropriate.

    Stealth scans are attempts to identify the systems that exist on a network in a way that prevents the source system from being identified. This kind of scan shows up on NIDS sensors as probing of IP addresses, and it usually covers a large number of IP addresses. Responding to a stealth scan requires identifying the source system and the individual using it, since that source system is involved in a compromise.

    Port scans are used to determine which services are offered by the systems on the network. An intrusion detection system identifies a port scan when a number of ports (above a threshold) on a single system are opened within a short period of time. Both NIDS and HIDS sensors will recognize port scanning and report it. The response to a port scan is the same as the response to a stealth scan.

    Trojan scans: there are many Trojan programs in existence, and NIDS sensors have signatures to recognize them. Unfortunately, traffic to Trojan programs is usually identified by the destination port of the packets. This is a cause of false identifications of Trojan programs. In such cases, the source port of the traffic must be examined. For example, if the traffic originates from port 80, it is traffic from a website.

    One of the best examples of a Trojan scan is the scan for BackOrifice. BackOrifice uses port 31337, and an attacker will commonly scan a range of IP addresses for this port. BackOrifice also includes a ping host function that performs the scan automatically. This is not a cause for concern as long as no such traffic is identified coming from an internal system. The appropriate response is to contact the owner of the source system about the compromise of that system.

    Vulnerability scans show up on a NIDS as a large number of different attack signatures. These scans are usually directed at active systems; it is rare for them to be run against address ranges of systems that are not active.

    Vulnerability scans from an attacker cannot be distinguished from vulnerability scans performed by a security testing company (in many cases the same tools are used). In either case, the scan itself cannot compromise a system, but if the scan was performed by a hacker, every system found to be vulnerable will be attacked. The owner of the source system can be contacted, and the internal systems checked to make sure they are up to date.

    File snooping, or testing file permissions, is carried out by an internal user. The user is trying to determine which files can be accessed and what they may contain. This kind of information gathering shows up only on a HIDS sensor, and only if the system is logging unauthorized access attempts. Single events are almost certainly mistakes, but if a pattern is observed, the user should be contacted to determine what they are doing.
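    The threshold rule for port scans and the source-port check for Trojan scans described above, as an added Python example that is not part of the original lecture notes. The window length, both thresholds, and all sample records are constructed assumptions; only port 31337 and the port 80 check come from the text.

```python
from collections import defaultdict, deque

TROJAN_PORTS = {31337: "BackOrifice"}  # the port named in the text
WINDOW = 10.0        # seconds; assumed value, tune per site
PORT_THRESHOLD = 5   # distinct ports on one host; assumed value
HOST_THRESHOLD = 4   # distinct hosts on one Trojan port; assumed value

# Constructed sample records: (time, src_ip, src_port, dst_ip, dst_port)
SAMPLE = sorted(
    # fast sweep of six ports on one host
    [(1.0 + 0.5 * i, "198.51.100.7", 40000 + i, "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    # same kind of ports, but 20 s apart: stays under the threshold
    + [(20.0 * i, "198.51.100.99", 41000 + i, "192.0.2.10", p)
       for i, p in enumerate([21, 22, 23, 25, 80])]
    # one source probing port 31337 on five hosts
    + [(5.0 + i, "203.0.113.9", 42000 + i, f"192.0.2.{i + 1}", 31337)
       for i in range(5)]
    # web replies (source port 80) to a client whose port happens to be 31337
    + [(6.0 + i, "203.0.113.80", 80, "192.0.2.20", 31337) for i in range(3)]
)


def _distinct(window, now, item):
    """Append (now, item), drop entries older than WINDOW, count distinct items."""
    window.append((now, item))
    while now - window[0][0] > WINDOW:
        window.popleft()
    return len({value for _, value in window})


def detect_scans(records):
    """Return (alerts, suppressed) for time-ordered connection records.

    alerts     -- list of (kind, source_ip, target), one entry per finding
    suppressed -- Trojan-port matches ignored because the source port was 80
    """
    ports_seen = defaultdict(deque)  # (src, dst)  -> recent (time, dst_port)
    hosts_seen = defaultdict(deque)  # (src, port) -> recent (time, dst_ip)
    alerts, reported, suppressed = [], set(), 0

    def report(finding):
        if finding not in reported:
            reported.add(finding)
            alerts.append(finding)

    for t, src, sport, dst, dport in records:
        # Port scan: many distinct ports on a single host in a short time.
        if _distinct(ports_seen[(src, dst)], t, dport) >= PORT_THRESHOLD:
            report(("port_scan", src, dst))
        # Trojan scan: a signature keyed on the destination port alone.
        if dport in TROJAN_PORTS:
            if sport == 80:
                suppressed += 1  # traffic coming back from a website
            elif _distinct(hosts_seen[(src, dport)], t, dst) >= HOST_THRESHOLD:
                report(("trojan_scan", src, TROJAN_PORTS[dport]))
    return alerts, suppressed


if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```

    Raising WINDOW or lowering the thresholds catches slower scans at the cost of more false alarms, which is the trade-off the threshold parameters earlier in the chapter describe.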

    Attack events:

    Attack events are the events that require the fastest response. If the IDS is configured to flag a high-priority event only when a known internal vulnerability is being exploited, then the incident response procedure must be put into effect immediately when such an event occurs.

    Remember that an IDS cannot tell the difference between a real attack and a vulnerability scan that merely looks like an attack. The IDS administrator must evaluate the information the IDS presents in order to decide whether it is a real attack. The first thing to look at is the number of events. If a number of different attack signatures are seen against the same system, it may be a real attack.

    Policy violations:

    Most IDS systems come with signatures for events such as: file sharing (Gnutella, Kazaa, etc.); instant messaging; Telnet sessions; and the r-commands (rlogin, rsh, rexec).

    In most organizations, the use of this kind of traffic is against the organization's policy. Such policy violations are more dangerous to the organization than actual attacks. In most cases the event really did occur: files are being shared, or systems are configured to allow rlogin (remote login).

    How your organization chooses to respond to the various policy violations depends on its internal policies and operations. At a minimum, however, the system administrator or the individual concerned must understand the organization's policies.

    Suspicious events:

    Events that do not fit neatly into the other categories fall under suspicious events. A suspicious event is simply an event that is not understood. For example, a registry key on a Windows NT server is changed for no apparent reason. It does not appear to be an attack, and there is no indication of why the key changed. Another example is a packet whose header flags violate the protocol standard. Is this a reconnaissance attempt, a system with a faulty network interface card, or a packet corrupted in transit? The events reported by the IDS do not provide enough information to answer these questions and to decide whether the event is benign or an attack.

    Similarly, a suspicious event may be unexpected network traffic appearing on the internal network. Suspicious events should be investigated to the extent that the available resources allow.

    Note: Investigating suspicious events can take up most of your working time. It is often appropriate to let these events go, or to pass the information on to the network or system administrators.

    V.3.2. Investigating suspicious events

    When suspicious activity appears, four steps are taken to determine whether the activity is an attempted intrusion or legitimate behavior. The steps are:

    1. Identify the systems.

    2. Log additional traffic between the source and the destination.

    3. Log all traffic from the source.

    4. Log the contents of packets from the source.

    After each step, the evidence gathered is evaluated to determine whether the activity is an attack or not. The steps are described in the sections below.

    Note: Keep one thing in mind while investigating an event. If an event occurs once and is not repeated, it is very difficult to obtain additional information, and the investigation will be hard to complete.

    Identify the systems:

    The first step in investigating suspicious activity is to identify the systems involved. This is a matter of resolving IP addresses to host names. In some cases the host name cannot be found (the system may have no DNS entry, it may be a DHCP client, the remote DNS server may be down, and so on). If the DNS lookup fails, try to identify the host through other means such as the American Registry of Internet Numbers (ARIN) at http://www.arin.net, Internic at http://www.networksolutions.com/, or other Internet directories. Tools such as Sam Spade (available at http://samspade.org) can also be useful here. Failure to identify the source or the destination of suspicious activity is not in itself an indication that the event is an attack. Likewise, successfully identifying the systems does not by itself indicate that the activity is legitimate.

    Note: The apparent source of suspicious traffic is not necessarily the ultimate source of an attack. Denial-of-service attacks often use spoofed source addresses, and unauthorized access attempts or probes may originate from systems that an attacker has exploited.

    Log additional traffic between the source and the destination:

    Observing a single event (such as an IP protocol violation) may not give a complete record of the traffic between two systems. In other words, it is important to understand the context of the suspicious activity. A good example is the WIZ (SendMail) attack signature. This signature identifies an attempt to exploit the WIZ command in SendMail. The security event fires on any occurrence of WIZ in a mail message. If WIZ appears in the body of a message, it is not necessarily an intrusion attempt. Understanding the context of the event helps to recognize this and to avoid a false identification.


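    | Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port |
    |---|---|---|---|---|---|---|
    | SUS_ACT | Alert, log | Source of the suspicious events | Destination of the suspicious events | TCP, UDP, ICMP, depending on the type of activity observed | Any | Any |

    Table 5.5: An example IDS configuration to log all traffic between two systems.

    Configure the IDS to monitor all traffic between the source and the destination of the suspicious activity. An example is shown in Table 5.5.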

    What does logging the traffic between the source and destination systems tell us? First, it shows what other traffic is flowing between the source and the destination. If the WIZ packet is the only traffic between the two systems, this may tell us that an attempt is being made to compromise the system. On the other hand, if we see a large amount of SMTP (mail) traffic between the two systems, we can treat it as legitimate mail traffic.
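    An added Python example (not from the original notes) of the context check described for the WIZ signature: it separates WIZ sent as an SMTP command from WIZ that merely appears inside message data. Both sessions are constructed, the function names and verdict labels are hypothetical, and only the client-to-server lines of a session are assumed to be available.

```python
import re

# A naive signature like the one described: fires on any occurrence of WIZ.
NAIVE_SIG = re.compile(r"\bWIZ\b", re.IGNORECASE)

# Constructed client-to-server lines of two SMTP sessions.
MAIL_SESSION = [
    "HELO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: setup wiz notes",
    "",
    "Run the install wiz before Friday.",
    ".",
    "QUIT",
]
PROBE_SESSION = ["HELO probe.example.net", "WIZ", "QUIT"]


def wiz_hits(client_lines):
    """Return [(line_number, context)] for every line the naive signature
    matches. context is 'command', 'command-argument' or 'message-data'."""
    hits, in_data = [], False
    for number, line in enumerate(client_lines, 1):
        text = line.rstrip("\r\n")
        if in_data:
            if text == ".":              # a lone dot ends the message data
                in_data = False
            elif NAIVE_SIG.search(text):
                hits.append((number, "message-data"))
            continue
        verb = text.split(" ", 1)[0].upper()
        if verb == "DATA":               # what follows is message content
            in_data = True
        elif verb == "WIZ":              # WIZ issued as an SMTP command
            hits.append((number, "command"))
        elif NAIVE_SIG.search(text):
            hits.append((number, "command-argument"))
    return hits


def assess(client_lines):
    """Turn the contexts of the matches into a verdict for the analyst."""
    contexts = {context for _, context in wiz_hits(client_lines)}
    if "command" in contexts:
        return "investigate"      # someone actually sent the WIZ command
    if contexts:
        return "likely-benign"    # the string only occurs in mail content
    return "no-match"


if __name__ == "__main__":
    for name, session in (("mail", MAIL_SESSION), ("probe", PROBE_SESSION)):
        print(name, wiz_hits(session), assess(session))
```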

    Log all traffic from the source:

    Suppose the data gathered by logging all traffic between the two systems is not enough to determine whether the activity is legitimate. We can then begin collecting other traffic from the source. Keep in mind that this may be somewhat limited. If the source of the suspicious activity is on a remote network, you will only be able to monitor the traffic coming into your site. If the source is local, you may be able to collect all traffic from the machine and so get a better idea of what is really going on.

    To begin collecting all traffic from the source, configure the IDS to capture all traffic from the suspicious source. An example of such a configuration is shown in Table 5.6.

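    | Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port |
    |---|---|---|---|---|---|---|
    | SUS_SRC | Alert, log | Source of the suspicious events | Any | TCP, UDP, ICMP, depending on the type of activity observed | Any | Any |

    Table 5.6: IDS configuration to collect all traffic from a source address of interest.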


    This configuration may generate some additional information that is of no use to your investigation. As long as you can review the information objectively, you can use these logs to get a clearer picture of the further interactions between the source and your site.

    Try to understand the activity you are seeing. Is it web traffic? Is it mail traffic? Does the traffic originate at the suspicious source or at your site?

    At this point in the investigation, you should know the following:

    - The name of the source system.

    - The type and frequency of the traffic exchanged between the source and the destination.

    - The type and frequency of the traffic exchanged between the source and the systems at your site.

    This information gives you a clearer picture of the nature of the suspicious traffic. However, it may still not be enough for you to decide whether this is an intrusion attempt.

    Log the contents of packets from the source:

    The final step in the investigation is to log the contents of the packets from the source. Note that this method is useful only for text-based protocols such as telnet, FTP, SMTP, and (to some extent) HTTP.

    If binary or encrypted protocols are in use, this method is of no benefit. To do this, change the IDS configuration as shown in Table 5.6.

    By logging the packet contents, you can collect a complete record of the session and of the commands that were sent to the destination.

    Once you have captured some data, determine what you have found. Does the session show signs of a possible attack, or is it legitimate activity? Combine this information with the other information you have gathered to reach an answer.

    If you cannot reach a decision, try to look for individual indicators, drawing on experience and knowledge of the protocols involved in your investigation.


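    | Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port |
    |---|---|---|---|---|---|---|
    | SUS_ACT | Alert, log the packet contents | Source of the suspicious events | Destination of the suspicious events | TCP or UDP | Any | Port on which the traffic was identified as suspicious |
    | SUS_ACT | Alert, log the packet contents | Destination of the suspicious activity | Source of the suspicious activity | TCP or UDP | Port on which the traffic was identified as suspicious | Any |

    Table 5.7: An example IDS configuration to capture packet contents.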

    V.3.3. Intrusion prevention

    IPS has become the focus of recent products in the intrusion defense field. It is a new concept that changes the role of an IDS from responding to intrusions to preventing them from taking place. Many products promote this concept, and some established products also have this capability.

    To prevent an intrusion from taking place, a real attack must be stopped before it reaches the target system, or before the target system executes the vulnerable code.

    The mechanism for stopping an attack is easiest to see on a HIDS. Consider, for example, system call analyzers and application behavior analyzers. If a call made by an application appears to be an attack, the system call analyzer can prevent the operating system from executing the call. If an application tries to perform an action that it is not permitted to perform, the application behavior analyzer can prevent that action. In both cases, the HIDS is able to stop the attack.

    Using a NIDS to stop an attack is much more complicated. In a standard NIDS configuration, the sensors are placed where they can see the network traffic. When an attack crosses the wire, the sensor captures the packets and begins analyzing them. At some point the sensor must decide whether the packets constitute an attack and take appropriate action. That action is usually to terminate the connection (possible only when the intrusion uses a TCP connection) or to have a firewall reconfigured to block traffic from the source.


    The timing does not work well for a NIDS. While the sensor is analyzing the packets, the packets are continuing on into the network. In most cases, the packets reach the destination before the connection can be terminated or the firewall can apply a block. As a result, the intrusion often compromises the target system before the sensor takes action against it.

    For a NIDS to prevent attacks from successfully compromising a system, the decision about a packet must be made before the packet is allowed to continue on to the target system. This means that the architecture of the NIDS must change so that the NIDS sensor sits inline with the traffic (like a firewall) rather than merely monitoring it.

    In summary:

    IPS: An intrusion prevention system (IPS) is defined as software or a dedicated appliance that is able to detect intrusions and can block threats to network security. IDS and IPS have a great deal in common, so the two can be referred to jointly as IDP (Intrusion Detection and Prevention). Given the limitations of IDS, the question arose of how to block attacks automatically rather than only raise alerts, in order to reduce the workload of system administrators. IPS systems appeared (in 2003) and quickly became widespread.

    Together with improvements to the management components, IPS has gradually replaced IDS because it reduces the need for human intervention in responding to detected threats and eases part of the operational burden. Moreover, in some special cases an IPS can operate as an IDS by turning off its intrusion prevention feature. Today, networks are moving toward IPS solutions in place of older IDS systems.

    Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of unauthorized intrusion. An unauthorized intrusion is defined as an attempt to compromise integrity, availability, or reliability, or an attempt to bypass the security mechanisms of the computer system or network. An intrusion may come from an attacker on the Internet trying to gain access to the system, or from an authorized user of the system trying to obtain privileges they have not been granted.

    Figure 5.3: Securing the network with an IPS

    There are two main issues: the potential for denial of service, and issues related to availability.

    Denial of service:

    Intrusion prevention changes the primary response mechanism: instead of alerting the system, network, and security administrators, the primary mechanism is now to block the attempted action. When the IDS detects an attack, it blocks an action in progress, which may be a system call, an application action, or a network connection. The block stops the attack. This assumes, of course, that the IDS has correctly identified the activity as an attack.

    If the activity is not an attack and the IDS blocks it while it is in progress, the IDS has blocked legitimate activity. In other words, the IDS has caused a denial of service. If the activity was caused by some anomaly (such as a packet with errors), the packet will be retransmitted or the connection retried, and it will probably succeed. However, if the IDS misidentifies legitimate activity or traffic as an attack, this creates a denial-of-service condition.

    Note: Current IDS sensors sometimes fail when blocking activity, because of an incomplete understanding of what constitutes a failure and what constitutes legitimate activity.

    Availability:

    The availability of networks and systems is an important part of any computing installation. Organizations spend large amounts of money and time configuring their networks and systems to reduce failures. If an IDS sensor is installed so that all traffic passes through it, the NIDS sensor must meet the same high-availability requirements as the other network components. The same applies to HIDS sensors placed on servers: if the sensor software crashes, processing may be lost or stopped. In critical environments that demand high availability, these issues must be resolved before the systems are deployed.

    CHAPTER 5 SUMMARY:

    This chapter covered IDS and IPS, the types of IDS, and the placement and role of HIDS and NIDS in network designs (Intranet/Extranet) that are concerned with securing the network and preventing unauthorized intrusions (attacks) that may occur.

    Managing and using an IDS is considered the most important part of this chapter. It covers reconnaissance events, the investigation of suspicious events, and so on, with the aim of showing the reader the configuration, operation, necessity, and benefits of IDS and IPS systems.


    C. TEACHING FORMAT AND METHODS

    a. Content:

    - Blackboard presentation combined with PowerPoint slides

    - Problem posing and discussion

    b. After studying the theory, students answer the end-of-chapter questions to consolidate what they have learned in the chapter.

    D. REFERENCES

    Required course material:

    [1] Nguyen Kim Tuan, An ninh Internet (course textbook), 2011.

    Reference material:

    [1] Nguyen Kim Tuan, An toan mang (course textbook), 2007.

    [2] Nguyen Minh Nhat, Gioi thieu An ninh mang (course textbook), 2009.

    [3] Ross Anderson, Security Engineering (Version 1), 2001.

    [4] Chris Hare and Karanjit Siyan, Internet Firewalls and Network Security (2nd edition), 1996.

    [5] Andrew S. Tanenbaum, Computer Networks (Fourth Edition), 2003.

    [6] Eric Maiwald, Fundamentals of Network Security, 2004.

    [7] William Stallings, Network Security Essentials: Applications and Standards (2nd edition), 2003.

    * Cc tiu liu t m khng s dng trong chng ny.


    E. CHAPTER 5 QUESTIONS/EXERCISES:

    Question 1: What is an IDS? What is the role of an IDS in a network security policy? Present and analyze a network diagram that includes an IDS.

    Question 2: What are the operating principles of NIDS and HIDS? What distinguishes NIDS from HIDS? Provide a diagram that illustrates the difference between NIDS and HIDS.

    Question 3: Explain the role, operation, and purpose of each type of HIDS sensor. In your view, which type of sensor is most effective in securing an Intranet? Explain why.

    Question 4: Analyze the steps required in designing an IDS. Is there any difference between designing an IDS and designing an IPS?

    Question 5: Analyze the operation of an IDS, an IPS, and a signature-based HIDS sensor.

    Question 6: Distinguish between IDS and IPS. Build a security model for an internal network that includes an IPS (based on an intrusion detection software package of your choice).